4 Answers
4

dnsmasq is far easier to configure as a DNS aggregator/caching daemon than BIND, and for that purpose, the performance might just be better. If you turn logging up to "debug", all the questions and answers show up in whatever syslog has configured for debug messages.

Dnsmasq also makes it easy to get rid of abusive advertisers and dirtbag privacy invading "analytic" creeps by aliasing entire domains to 127.0.0.1.
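As an added example (not part of the answer above), a small Python parser for the query/answer lines dnsmasq writes to syslog when `log-queries` is enabled, counting queries per client and listing names the `address=/domain/127.0.0.1` aliasing has sunk. The exact message formats matched here and the sample log lines are assumptions I constructed, not captured output.

```python
import re
from collections import Counter

# Assumed dnsmasq log-queries message formats (after "dnsmasq[pid]: "):
#   query[A] www.example.com from 192.168.1.10
#   forwarded www.example.com to 8.8.8.8
#   reply www.example.com is 192.0.2.1
#   cached www.example.com is 2001:db8::1
#   config tracker.example.net is 127.0.0.1   (answered from an address=/.../ line)
MSG_RE = re.compile(r"dnsmasq\[\d+\]: (?P<msg>.+)$")
QUERY_RE = re.compile(r"^query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
ANSWER_RE = re.compile(r"^(?P<source>reply|cached|config) (?P<name>\S+) is (?P<addr>\S+)$")


def parse_line(line):
    """Return a dict for a query or answer line, or None for any other line."""
    m = MSG_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    q = QUERY_RE.match(msg)
    if q:
        return {"kind": "query", **q.groupdict()}
    a = ANSWER_RE.match(msg)
    if a:
        return {"kind": "answer", **a.groupdict()}
    return None  # "forwarded ... to ...", startup lines, etc.


def summarize(lines):
    """Count queries per client and collect names aliased to 127.0.0.1 by config."""
    per_client = Counter()
    sinkholed = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "query":
            per_client[rec["client"]] += 1
        elif rec["source"] == "config" and rec["addr"] == "127.0.0.1":
            sinkholed.add(rec["name"])
    return {"queries_per_client": dict(per_client), "sinkholed": sorted(sinkholed)}


# Constructed sample log lines (hypothetical, not from a real system).
SAMPLE_LOG = [
    "Jul 23 01:15:59 dnsmasq[1234]: using nameserver 8.8.8.8#53",
    "Jul 23 01:16:02 dnsmasq[1234]: query[A] www.example.com from 192.168.1.10",
    "Jul 23 01:16:02 dnsmasq[1234]: forwarded www.example.com to 8.8.8.8",
    "Jul 23 01:16:02 dnsmasq[1234]: reply www.example.com is 192.0.2.1",
    "Jul 23 01:16:03 dnsmasq[1234]: query[A] tracker.example.net from 192.168.1.10",
    "Jul 23 01:16:03 dnsmasq[1234]: config tracker.example.net is 127.0.0.1",
    "Jul 23 01:16:05 dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.20",
    "Jul 23 01:16:05 dnsmasq[1234]: cached www.example.com is 2001:db8::1",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```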

Given how large bind is and its lackluster security record, I think many people would hesitate to install something like that for the sole purpose of logging.
–
jw013 Jul 23 '12 at 1:16

Doesn't bind have the issue that the nameservers in /etc/resolv.conf are not used, but nameservers must be listed explicitly in the bind config?
–
Bananguin Jul 23 '12 at 7:12

No. /etc/resolv.conf is the system resolver list. Bind's default configuration is to look up the authoritative name servers and ask them. You could forward all requests to a specific server (or set, such as your ISP, OpenDNS or Google Public DNS) but it's not required to do so in the config. I do this all the time. I can't even count the number of times I've set up caching only name servers.
–
bahamat Jul 23 '12 at 15:19

If I recall correctly, Snort can selectively monitor traffic based on user-defined rules. However, Snort will not create logs for DNS requests when your computer, i.e. its resolver, can answer the question from its cache.